4

My network has about 8 thousand users, who work in multiple buildings. There is frequent employee turnover, which currently forces changes in the configuration of VLANs on the switch ports. In addition, we have many device manufacturers in the organization, such as Juniper, HP/Aruba, Cisco, TP-Link and Huawei.

I would like to use only a few VLANs on a switch: VoIP, printers, internal network (intranet). Internet access only via VPN after authentication. I need to collect logs (IP <-> user) due to applicable laws in my country. We have a RADIUS server in the organization that I can use to authorize users.

Is it possible to build a VPN cluster based on open source software? I need an HA solution.

I am also open to other suggestions to solve my problem.

Qmails
  • Why on earth don't you move to 802.1X? That lets you authenticate clients connected to each port. With 8k users that seems like a no-brainer? – vidarlo Jan 02 '23 at 21:43
  • Why does user turnover require you to reconfigure your VLANs? – joeqwerty Jan 02 '23 at 21:51
  • Yes. Multiple buildings do not demand VLANs - so, essentially, unless you provide more info, that is a non-logical setup. – TomTom Jan 02 '23 at 22:11
  • I would think about the problem in a totally different way: you're supporting 8,000+ users in a campus network environment and you know enough to understand the current design has serious flaws and you're not sure how to improve the design. If I were in your shoes I would contract a networking expert or company that knows more than I do to design and deploy a better network topology that fulfills the business needs. – Todd Wilcox Jan 03 '23 at 14:48
  • @TomTom Well, 8k clients implies at least 8k access ports. Unless you propose stuffing them all into a single broadcast domain (don't), it's either VLANs or separate local LANs routed on L3. The latter requires at least OSPF for redundancy/failover plus a bunch of traffic rules to get per-user access control, which might be somewhat harder to set up than OP would like. – TooTea Jan 03 '23 at 22:46
  • Well, being a campus, you know, ROUTING would be the normal solution. Given that this ends maybe on a building/floor level it will be a LOT - significantly - easier to manage than VLANs. – TomTom Jan 04 '23 at 06:23

1 Answer

14

There is frequent employee turnover, which currently forces changes in the configuration of vlans on the switch ports.

As it seems, you might be using port-based VLANs instead of privilege groups. That isn't only very cumbersome, it's also not secure. (Any user could replug their computer to another jack to change their security level.)

Instead, you should be using port-level security like IEEE 802.1X, where a user authenticates to the network and only then are they associated with a VLAN or security level.

Alternatively, some solutions allow you to identify (Windows) users on a firewall and apply rules based on that identity and its group memberships (sometimes called single sign on, IAM or simply AAA). In case your servers are located within the users' VLANs you should move them out, to one or more VLANs of their own - then you control access to them on the firewall, based on user group membership. And there's no need for different privilege-level user VLANs at all.

As to product recommendations, those are explicitly off topic here, sorry. Terminating 8k users with a software solution would very likely require a cluster of VPN servers/gateways though. The concepts suggested above should be much lower maintenance.

Zac67
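The RADIUS side of the dynamic VLAN assignment the answer describes, as an added Python example (not from the post or any vendor's code): after 802.1X authentication succeeds, the server returns the RFC 3580 tunnel attributes in Access-Accept and the switch moves the port into that VLAN, so the VLAN follows the user rather than the jack. The group names, VLAN IDs and quarantine VLAN are constructed assumptions; the tag byte is 0 (unused), which is what most switches expect.

```python
"""Build and decode RFC 2868/3580 VLAN attributes for an 802.1X Access-Accept."""
import struct

# RADIUS attribute types and values from RFC 2868 / RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802

# Constructed policy (assumption, not from the post): group name -> VLAN id.
# Ordered: the first matching group wins for a user in several groups.
GROUP_VLANS = [("voip-phones", 20), ("printers", 30), ("intranet-staff", 100)]
QUARANTINE_VLAN = 999  # assumed VLAN for authenticated users matching no policy group


def _tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Tagged integer attribute: type, length=6, tag byte, 3-byte big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type: int, text: str, tag: int = 0) -> bytes:
    """Tagged string attribute: type, length, tag byte, then the string."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_for(groups) -> int:
    """Pick the VLAN from a user's group memberships; unknown users are quarantined."""
    for group, vlan in GROUP_VLANS:
        if group in groups:
            return vlan
    return QUARANTINE_VLAN


def vlan_attributes(groups) -> bytes:
    """Attributes appended to Access-Accept so the authenticator reassigns the port."""
    vlan = vlan_for(groups)
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))


def decode_attributes(blob: bytes) -> dict:
    """Decode the attribute list as a switch would, keyed by attribute type."""
    out, i = {}, 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        value = blob[i + 3:i + length]  # skip the tag byte
        out[attr_type] = (value.decode("ascii") if attr_type == TUNNEL_PRIVATE_GROUP_ID
                          else int.from_bytes(value, "big"))
        i += length
    return out
```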